[PATCH] Allow matching HostName against Host entries
Iain Morgan
imorgan at nas.nasa.gov
Sat Apr 13 10:42:33 EST 2013
On Fri, Apr 12, 2013 at 19:06:50 -0500, Damien Miller wrote:
> On Fri, 12 Apr 2013, Ben Lindstrom wrote:
>
> >
> > Is there no way to pull this information from the resolv.conf file in
> > a universal way? It really would suck having yet another location for
> > DNS search paths to maintain an environment.
>
> Pulling it from resolv.conf permits attacks from a rogue/hostile DHCP
> server again. The main attack here is host substitution, if a user happens
> to have multiple servers with the same hostname but different domain names
> (e.g. "www.good.com" and "www.evil.com") then someone who can spoof the
> suffix order could trick a ssh client that used it for canonicalisation
> to make a user connect to the wrong host completely transparently.
>
> It's an unlikely scenario for users on small networks, but in a large
> organisation with multiple subdomains it could be a useful trick for
> an attacker who wants to widen the set of hosts they have compromised.
>
> > And out of interest what would your intent be for those names who
> > still fail this qualification test?
>
> They would fall back to regular resolution.
>
> > ## Where minecraft "host" is really a fast alias to set username, another
> > ## information to correctly log into generic.server.com without having to
> > ## hand specify them all the time.
> > Host minecraft
> > User minecraft
> > Hostname generic.server.com
>
> So you could do something like:
>
> Host minecraft
> User minecraft
> Hostname generic.server.com
>
> HostnameSuffixes foo.com ext.foo.com
>
I think you meant:

Host minecraft
    User minecraft
    Hostname generic.server.com

Host *
    HostnameSuffixes foo.com ext.foo.com
--
Iain Morgan
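A small Python model of the suffix-based canonicalisation discussed in this thread, added here as an example (it is not from the thread or from OpenSSH). It assumes the proposed HostnameSuffixes option name, constructed DNS entries for www.good.com and www.evil.com, and a minimal stand-in parser for ssh_config's first-value-wins semantics.

```python
# Added example (not from this thread or OpenSSH): toy model of an ssh client
# qualifying a short hostname with an ordered suffix list. It shows why a list
# pinned in ssh_config differs from one read from resolv.conf, and why the
# proposed HostnameSuffixes line must sit under a Host block that matches.
import fnmatch
# Constructed DNS view: the fully-qualified names that actually resolve.
DNS = {"www.good.com": "192.0.2.10", "www.evil.com": "198.51.100.66",
       "generic.server.com": "192.0.2.20"}
# Suffixes scoped to 'Host *', as the reply above suggests.
CFG_PINNED = """Host minecraft
    User minecraft
    Hostname generic.server.com
Host *
    HostnameSuffixes good.com ext.good.com
"""
# Same option, but left inside the 'Host minecraft' block.
CFG_UNSCOPED = """Host minecraft
    User minecraft
    Hostname generic.server.com
    HostnameSuffixes good.com ext.good.com
"""
def parse_ssh_config(text, host):
    """Options for `host`; first value wins, so 'Host *' only fills gaps."""
    opts, active = {}, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key.lower() == "host":
            active = any(fnmatch.fnmatch(host, p) for p in val.split())
        elif active:
            opts.setdefault(key.lower(), val.strip())
    return opts

def canonicalise(name, suffixes):
    """Qualify a dotless name with the first suffix under which it resolves;
    if none does, fall back to the name as given (regular resolution)."""
    if "." in name:
        return name
    return next((f"{name}.{s}" for s in suffixes if f"{name}.{s}" in DNS), name)

def resolve_target(config_text, host, resolv_search=()):
    """FQDN the client would connect to: suffixes come from HostnameSuffixes if
    the matching config has it, else from the (DHCP-controlled) search list."""
    opts = parse_ssh_config(config_text, host)
    suffixes = (opts["hostnamesuffixes"].split() if "hostnamesuffixes" in opts
                else list(resolv_search))
    return canonicalise(opts.get("hostname", host), suffixes)
```

With CFG_UNSCOPED a bare `ssh www` never sees the suffix list, so a search order spoofed to put evil.com first wins; with CFG_PINNED the same spoofed order is ignored.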